pomerium/pomerium v0.30.0

on GitHub

What's Changed

v0.30.0 introduces new Native SSH Access. Now Pomerium can proxy SSH connections directly — no need for pomerium-cli or the Pomerium Desktop client.

This release also includes experimental MCP support.

Other highlights

The Direct IdP Token Authentication feature has been expanded to work with all supported identity providers.

There is a new route option to help deal with CORS issues: see Additional Login Redirect Hosts for more information.

The JWT Issuer Format option is now available as a global setting, in addition to the existing per-route option.

There are new metrics for database connection pool usage, authorize service cache hit rate, and direct IdP token verification.

Some JSON log entry attributes names have changed, to standardize on hyphen separators rather than the previous mix of hyphens and underscores.

There is a new sync querier for the Authorize service that implements Query using an in-memory store of synced records for sessions, users and groups, rather than records being queried when needed. This should improve performance. It can be disabled with the authorize_use_synced_data runtime flag.

New

• experimental MCP support by @wasaga
• native SSH proxy support by @kralicky, @kenjenkins, and @calebdoxsey
• add global jwt_issuer_format option by @kenjenkins in #5508
• multi-domain login redirects by @kenjenkins in #5564
• storage: support ip address indexing for the in-memory store by @calebdoxsey in #5568
• storage: add sync querier by @calebdoxsey in #5570
• authenticate: add support for apple identity tokens by @calebdoxsey in #5610
• identity: add IdP access and identity token verification for OIDC by @calebdoxsey in #5614
• identity: add access token support for github by @calebdoxsey in #5615
• config: use stable route ids for authorize matching and order xds responses by @calebdoxsey in #5618
• databroker: add a wait field to sync request by @calebdoxsey in #5630
• databroker: add sync-cache by @calebdoxsey in #5639
• cryptutil: add a function to normalize PEM files so that leaf certificates appear first by @calebdoxsey in #5642
• envoyconfig: add additional local reply mappers for gRPC by @calebdoxsey in #5644
• ppl: add in string matcher by @wasaga in #5651
• config: add circuit breaker thresholds by @calebdoxsey in #5650

Fixes

• storage: invalidate sync querier when records are updated by @calebdoxsey in #5612

Changed

• testutil: use cmp.Diff in protobuf json assertion by @wasaga in #5517
• zero/grpc: use hostname for proxied grpc calls by @wasaga in #5520
• config: fix jwt_issuer_format conversion by @kenjenkins in #5524
• remove the legacy identity manager by @kenjenkins in #5528
• metrics: reduce gc pressure by @wasaga in #5530
• authorize: return 403 on invalid sessions by @calebdoxsey in #5536
• add tests/benchmarks for http1/http2 tcp tunnels and http1 websockets by @kralicky in #5471
• proxy: use querier cache for user info by @calebdoxsey in #5532
• core/envoyconfig: make adding ipv6 addresses to internal cidr list conditional on ipv6 support on the system by @wasaga in #5538
• move internal/telemetry/trace => pkg/telemetry/trace by @kralicky in #5541
• databroker: preserve data type when deleting changeset by @calebdoxsey in #5540
• only support loading idp tokens via bearer tokens by @calebdoxsey in #5545
• return errors according to accept header by @calebdoxsey in #5551
• upgrade to go v1.24 by @calebdoxsey in #5562
• add support for pomerium.request.headers for set_request_headers by @calebdoxsey in #5563
• add v0.29.0 release notes by @wasaga in #5515
• storage: add minimum record version hint by @calebdoxsey in #5569
• API changes for multi-domain login redirects by @kenjenkins in #5565
• cleanup logs by @calebdoxsey in #5571
• logging: standardize on hyphens in attribute names by @kenjenkins in #5577
• authorize: refactor logAuthorizeCheck() by @kenjenkins in #5576
• add additional authorization check logs by @calebdoxsey in #5598
• Fix comment grammar by @desimone in #5621
• Fix typo in Seal comment by @desimone in #5620
• config: support weighted URLs in To field by @calebdoxsey in #5624
• add metrics for cache by @calebdoxsey in #5627
• core: more metrics by @calebdoxsey in #5629
• fix metric to use milliseconds by @calebdoxsey in #5632
• fix pem normalization when file has no trailing newline by @calebdoxsey in #5645
• cryptutil: fix normalize pem with certificate cycles by @calebdoxsey in #5646
• envoyconfig: add test for local reply by @calebdoxsey in #5648
• pgxpool: enable metrics by @wasaga in #5653
• telemetry: backport component by @wasaga in #5655
• oauth: add minimal device auth support for ssh by @kralicky in #5657
• metrics: bump pgxpool stats package by @wasaga in #5671
• Add build options to configure envoy to be launched from an external binary by @kralicky in #5669
• testenv: do not attempt to shutdown pomerium if it fails to start by @kralicky in #5679
• config: allow URLs in depends_on by @kenjenkins in #5689
• config: migrate deprecated cluster DNS settings by @kenjenkins in #5690
• querier: stop sync backoff on cancel error code by @kralicky in #5697
• authorize: add request body logging by @wasaga in #5696

Dependency Updates

• chore(deps): bump golang.org/x/net from 0.35.0 to 0.36.0 by @dependabot in #5526
• chore(deps): bump @babel/helpers from 7.24.4 to 7.26.10 in /ui by @dependabot in #5523
• chore(deps): bump the docker group with 3 updates by @dependabot in #5558
• chore(deps): bump the github-actions group with 7 updates by @dependabot in #5557
• chore(deps): bump the go group with 39 updates by @dependabot in #5559
• chore(deps): bump @babel/runtime from 7.24.4 to 7.26.10 in /ui by @dependabot in #5522
• chore(deps): bump the docker group with 2 updates by @dependabot in #5597
• chore(deps): bump the github-actions group with 5 updates by @dependabot in #5600
• chore(deps): bump the docker group in /.github with 3 updates by @dependabot in #5603
• upgrade google.golang.org/grpc/health/grpc_health_v1 by @calebdoxsey in #5605
• chore(deps): bump github.com/open-policy-agent/opa from 1.3.0 to 1.4.0 by @dependabot in #5609
• chore(deps): bump the go group across 1 directory with 31 updates by @dependabot in #5608
• chore(deps): bump the docker group with 3 updates by @dependabot in #5635
• chore(deps): bump the github-actions group across 1 directory with 3 updates by @dependabot in #5641
• chore(deps): bump the docker group in /.github with 3 updates by @dependabot in #5637
• chore(deps): bump the go group with 24 updates by @dependabot in #5638
• chore(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 by @dependabot in #5677
• chore(deps): bump the docker group with 3 updates by @dependabot in #5682
• chore(deps): bump github.com/go-chi/chi/v5 from 5.2.1 to 5.2.2 by @dependabot in #5661
• chore(deps): bump the docker group in /.github with 2 updates by @dependabot in #5681
• chore(deps): bump the github-actions group with 2 updates by @dependabot in #5683

Full Changelog: v0.29.4...v0.30.0